Jump to content

Enforce *any* 2FA/MFA method through account policies


Sahbi
 Share

Recommended Posts

Currently the User Account Policies only allow you to enforce one specific method for 2-factor authentication, such as Duo or TOTP. This means that you'd have to keep track of every individual user and their preferred method, then create separate policies for every "group". This is quite a hassle, so perhaps a better option would be to enforce using any method. The dropdown list could simply include something along the lines of "anything besides Ignore".

 

For the very first logon, Passwordstate can simply use the global default setting (e.g. TOTP), or if the admin has overridden it in some way then use that method instead. Afterwards the user can simply change it to something else, as long as it's not "Only Forms Based".

Link to comment
Share on other sites

  • 4 months later...

Hi Guys,

 

We're not sure how this would work if we implemented it i.e. how would we know which authentication screen to direct them to?

 

Did you know user's can specify their own Authentication option on their Preferences screen? And on the screen Aministration -> System Settings -> Authentication Options tab, there is the option "Hide the following Authentication Options on User's Preferences screen" which can also be used.

Regards

Click Studioos

Link to comment
Share on other sites

On 3/23/2021 at 1:26 AM, support said:

We're not sure how this would work if we implemented it i.e. how would we know which authentication screen to direct them to?

Well I was thinking along these lines:

  1. Admin sets a policy for "any MFA required". This could either be literally any, or a list of allowed methods like Josh-Hemphill said. The latter is probably preferred by most though.
  2. Admin changes the system authentication settings to hide undesired methods. I'm not 100% sure if you can hide the default forms based auth, but a new account would use this initially regardless. The first logon would always be without MFA because A) I don't think *all* MFA methods can be pre-supplied, so you can't really require MFA at this point and B) Passwordstate doesn't even know their preference yet. After logging in Passwordstate can just set a flag in the account "like initial logon completed".
  3. Admin creates an account, supplies password to the user.
  4. User logs in.
  5. They should now go to their account settings and set up their preferred MFA method and set it as default. This default method should probably be a required field instead of being able to leave it on "inherit system setting" (nor forms auth), that's the entire point of being able to require "any" method (we don't *know* everyone's preferences, hence the system setting will not work for some).
  6. On the next logon Passwordstate will simply check their preference and direct them to the according screen.

Alternatively, at step 5 you could automatically redirect them to their account settings and display a message like "MFA is required by company policy, set it up now". Maybe you could even prevent them from leaving there until they set up at least 1 method and change their default preference.

 

Admins should have a way to let them recover their account if they forget to set up MFA though, perhaps a checkbox in the admin user settings like "redo initial setup on next logon". Then it will just restart at step 4.

 

On 3/23/2021 at 1:26 AM, support said:

Did you know user's can specify their own Authentication option on their Preferences screen? And on the screen Aministration -> System Settings -> Authentication Options tab, there is the option "Hide the following Authentication Options on User's Preferences screen" which can also be used.

That would still leave the choice up to the user though, so you can't really rely on that. What I mean is, as long as you can't enforce "any" MFA the user might just leave it as-is because it's more convenient. You do require user action at *some* point though, I don't see any way to prevent that. Just have to make it very clear to them to set up MFA when supplying the account, otherwise they won't be able to log in a second time.

 

Another benefit of being able to require "any" method is that you could use e.g. TOTP as fallback when your primary method temporarily isn't available, because with the current account policies you can only specify 1 method if I'm not mistaken. Of course this would require modifying the login process some more, since you'd need to be able to "cancel" the current method and use a different one. Of course this would be just an addition, it's not the core of the problem.

Link to comment
Share on other sites

On 3/22/2021 at 9:26 PM, support said:

We're not sure how this would work if we implemented it i.e. how would we know which authentication screen to direct them to?

Perhaps a list box of the enabled methods in the user preferences with up/down buttons to change the priority, and a configure button next to any that have yet to be configured or some other indication the user needs to take further action to use any specific one.

For handling user configuration of methods that require it, perhaps it might make sense to have some system in place to guide a user through 2FA setup on first login if none of their enabled 2FA methods have yet to be configured.

Or maybe a more general prompt; I'd love to have a way to nudge our users to using TOTP instead of email; perhaps a prompt that (if they have one 2FA method active but have more available to them) tells them they have more 2FA methods available and gives them links to configure one of their choice and lets administrators provide some message about what's recommended, and if they have none configured then force them to select one and just highlight the system default. 

 

On 3/22/2021 at 9:26 PM, support said:

Did you know user's can specify their own Authentication option on their Preferences screen? And on the screen Aministration -> System Settings -> Authentication Options tab, there is the option "Hide the following Authentication Options on User's Preferences screen" which can also be used.

That's part of the problem, because we can set a single 2FA method as default for everyone (e.g. email-based, since for us that can work immediately without any setup on the user's part) but if we showed them how to set up their preferred 2FA method, then they'll also be presented with options that we may have enabled for users with different needs and higher technical literacy, but could break their account if they were to just start poking around it themselves.

So perhaps the solution there would just be to make the enabled 2FA methods more granular in what users they effect by making it available in the user account policies.

 

Link to comment
Share on other sites

  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...